Diagnostic and Recovery Toolset (Part 5)

by [Published on 19 May 2011 / Last Updated on 19 May 2011]

The final article in this series demonstrates how to use the Crash Analyzer tool of Microsoft DaRT 6.5 for troubleshooting Windows-based computers that blue-screen when you try to boot them.

If you would like to read the other parts in this article series please go to

In the previous articles of this series we've learned about Microsoft's Diagnostic and Recovery Toolset (DaRT), how to install DaRT, how to create a bootable DaRT CD, and how you can use the DaRT tools on your DaRT CD to try to resolve issues preventing Windows-based computers from booting successfully. This final article examines one more DaRT tool, the Crash Analyzer, which you can use to troubleshoot  Windows-based computers that blue-screen when you try to boot them.

How Crash Analyzer Works

Crash Analyzer works by analyzing the memory dump file saved on your hard drive when your Windows-based computer fails to boot properly and blue screens (displays a stop message). Of course, if you've configured Windows to not save a memory dump file, then Crash Anaylzer won't be of any use to you! To learn how to configure memory dump settings on Windows, see this KB article. And to configure memory dump settings on a Windows Server Core installation, see this TechNet article.

Using Crash Analyzer

There are two different ways you can use Crash Analyzer to analyze a memory dump:

  • Boot the problem computer using your bootable DaRT media and launch Crash Analyzer from the MSDaRT Tools screen. This is the approach used in the section below.
  • Copy the memory dump file from the problem computer to the computer you installed DaRT 6.5 on (see Part 2 of this series). Then launch the standalone version of Crash Analyzer by clicking Start, All Programs, Microsoft Diagnostics and Recovery Toolset, ERD Commander Boot Media Wizard.

The second approach is useful if the computer you are analyzing doesn't have access to the Debugging Tools for Windows or to the symbol files for the installed version of Windows. That's because there are two prerequisites for running Crash Analyzer:

  • You'll need the Debugging Tools for Windows, which you can include on your DaRT CD as described in Part 2 of this series.
  • You'll need access to the symbol files for the installed version of Windows, which can be downloaded from Microsoft if you have Internet connectivity on the network where your problem computer resides since DaRT automatically acquires an IP address from a DHCP server if there is one, or if needed you can manually configure an IP address using the TCP/IP Config tool on the MSDaRT Tools screen.

For the walkthrough below we'll assume the Debugging Tools for Windows are already included on our DaRT CD and that DaRT has access to the Internet so the symbol files can be downloaded.

Running Crash Analyzer on the Crashed Computer

Below is an example of a blue screen from a Windows 7 computer that won't boot:


Figure 1: This computer won't boot and displays a blue screen (stop screen).

To be honest, this isn't a real-world situation. Instead, I installed and ran NotMyFault, a freely available Windows Sysinternals tool, to install a driver that crashes the system. You can download NotMyFault from the Book Tools section of this page on TechNet.

The important thing is that my computer won't boot, so before I attempt a repair using other DaRT tools, I should first run Crash Analyzer to try to find out why the system won't boot. We'll begin by booting the failed system using the DaRT CD we created in Part 2 of this series, then proceed through the various dialogs until the MSDaRT Tools screen is displayed:


Figure 2: The MSDaRT Tools screen.

To run the Crash Analyzer tool on the problem computer, click the link by that name on the above screen. This launches the Crash Analyzer Wizard:


Figure 3: Step 1 of running Crash Analyzer on a computer that won't boot.

The next screen lets you browse to select the Debugging Tools for Windows, which should be located in memory on X: drive in the path shown below:


Figure 4: Step 2 of running Crash Analyzer on a computer that won't boot.

The next screen lets you download the symbol files needed to map memory addresses to names so you can better understand the results of the debugging process:


Figure 5: Step 3 of running Crash Analyzer on a computer that won't boot.

The next screen lets you browse to select the memory dump file on your failed system:


Figure 6: Step 4 of running Crash Analyzer on a computer that won't boot.

Note that there may be more than one memory dump file on your system. In that case, be sure to select the most recent one, which may be either a full or small (minidump) file:


Figure 7: Step 5 of running Crash Analyzer on a computer that won't boot.

Clicking next causes the symbol files to be downloaded from Microsoft, after which the debugging tools automatically analyze the memory dump file:


Figure 8: Step 6 of running Crash Analyzer on a computer that won't boot.

The Analysis Summary screen tells us below that the crash is probably being caused by a bad device driver named myfault.sys:


Figure 9: Results of running Crash Analyzer on the computer.

Clicking the Details button on the Analysis Summary screen above opens an Analysis Details dialog that provides more information. For example, the Crash Message tab gives us the crash code and related information:


Figure 10: The Crash Message tab of the Analysis Details dialog.

The Loaded Drivers tab provides details concerning all device drivers installed when the system crashed:


Figure 11: The Loaded Drivers tab of the Analysis Details dialog.

The Advanced tab provides additional details for advanced users concerning the crash:


Figure 12: The Advanced tab of the Analysis Details dialog

The final screen of the Crash Analyzer Wizard offers some suggestions on how to resolve the problem:


Figure 13: Crash Analyzer recommendations for resolving the problem.

Let's try suggestion #3 that Crash Analyzer provided, that is, let's try disabling the problem driver MyFault.sys and see if the computer will boot. To do this, click Finish to close the Crash Analyzer Wizard and return to the MSDaRT Tools screen, then click the Computer Management link to open Computer Management on the problem computer. Look under Services and Drivers in Computer Management and select Drivers, then scroll to select the problem driver MYFAULT in the right-hand pane. Then right-click on MYFAULT and select Properties as shown here:


Figure 14: Step 1 of disabling the problem driver MyFault.sys.

A dialog opens displaying the configured settings for the MYFAULT driver:


Figure 15: Step 2 of disabling the problem driver MyFault.sys.

Change the Startup Type from Manual to Disabled as shown here:


Figure 16: Step 3 of disabling the problem driver MyFault.sys.

Now close all dialogs and exit DaRT. Restart the computer and it should boot properly. Now you can use other DaRT tools to troubleshoot additional issues if needed.

Conclusion

This short series of articles has demonstrated how to use Microsoft's Diagnostic and Recovery Toolset (DaRT) to troubleshoot various issues on Windows-based computer. DaRT 6.5 is included as part of the Microsoft Desktop Optimization Pack (MDOP) 2009 R2 which is available exclusively to Microsoft Software Assurance (SA) customers as an add-on subscription (see here for details). MDOP is also available to MSDN and TechNet subscribers for test and evaluation purposes in accordance with MDSN and TechNet agreements. Finally, the next release of DaRT (version 7.0) is now currently in beta and can be downloaded from Microsoft Connect. See this post on the Official MDOP Blog for more information.

If you would like to read the other parts in this article series please go to

The Author — Mitch Tulloch

Mitch Tulloch avatar

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions.

Latest Contributions

Advertisement

Featured Links